Hey! 👋🏼

Security

Redi School Munich - Spring 2021

Recap!

  • Kahoot!
  • Callbacks
  • Promises

JavaScript is a single threaded language

Only one thing can be run at a time

There is something called the call stack

The call stack can only ever run one thing at a time

Security!


Security

JavaScript code can be inspected by users

Generally we shouldn't rely on data coming from the client side

Anything sensitive should be checked in the backend

Cross Origin Resource Sharing (CORS)

Domain names are origins

Two websites are not allowed to talk to each other by default

You are only permitted to share data between the same domain name

CORS Policy

This is configured on the server

It states: this website is allowed to talk to this other website

Cross Site Scripting (XSS)

Around 40% of all cyberattacks are XSS

The attacker manipulates the HTML and JS to trigger malicious code

XSS - Vulnerable areas

  • Inputs, text areas
  • Any place where we display user input
  • Query parameters
  • Image uploads

XSS - What can we do?

  • Sanitize user input
  • Encode URLs
  • Use a Content Security Policy (CSP)
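The first two countermeasures side by side, as an added example (not code from the slides): an unsafe comment renderer next to one that escapes user input, plus URL encoding for query parameters and the textContent alternative mentioned later in the slides. The comment text and search term are constructed sample inputs.

```javascript
// Added example (not from the slides): escaping user input before it goes
// into HTML, and encoding it before it goes into a URL. Sample inputs are
// constructed.

// Replace the five characters that have meaning in HTML with entities, so the
// browser renders them as text instead of parsing them as markup.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Unsafe: the input is dropped straight into markup, so a <script> tag or an
// event-handler attribute in it would be interpreted by the browser.
function renderCommentUnsafe(author, text) {
  return `<li><b>${author}</b>: ${text}</li>`;
}

// Safe: every untrusted value is escaped at the point where it enters HTML.
function renderCommentSafe(author, text) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</li>`;
}

// Query parameters are a different context: encodeURIComponent stops
// characters like '&', '=' and '<' from changing the URL or the page that
// later reflects the parameter.
function searchUrl(term) {
  return `/search?q=${encodeURIComponent(term)}`;
}

// In the browser, prefer textContent over innerHTML for plain text: the DOM
// treats the string as text, so no escaping function is needed.
function showMessage(element, text) {
  element.textContent = text; // never parsed as HTML
}

// Constructed sample: a comment that contains markup.
const sampleText = '<script>alert("xss")</script>';
// renderCommentUnsafe('mallory', sampleText) contains a live <script> tag;
// renderCommentSafe('mallory', sampleText) returns
// '<li><b>mallory</b>: &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</li>'
```

Escaping is context-specific: escapeHtml is right for text between tags, encodeURIComponent for a URL parameter, and neither is a substitute for the other.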

Cross-Site Request Forgery (CSRF)

The attacker tries to impersonate the user

This can include changing the user's email or password, stealing information, and more

CSRF - What can we do?

  • Properly implement requests on the backend
  • Use a CSRF token
  • Captchas

Content Security Policy (CSP)

It is an added layer of security that helps to detect and mitigate certain types of attacks

Configure the server to return a Content-Security-Policy HTTP header

Alternatively, use a meta tag to configure the policy

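Both ways of delivering a policy, as an added example (not code from the slides): a small Node.js handler that builds a Content-Security-Policy value, sends it as the HTTP header and repeats it in a meta tag on the served page. The directive choices are assumptions for a simple single-page site.

```javascript
// Added example (not from the slides): building a Content-Security-Policy
// value and sending it as an HTTP header and as a <meta> tag. The directive
// choices are assumptions.

// Policy as data: directive name -> allowed sources.
const policy = {
  'default-src': ["'self'"],
  // Scripts only from our own origin and no inline <script>, so markup
  // injected through an XSS bug cannot run.
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  // Do not allow this page to be embedded in frames.
  'frame-ancestors': ["'none'"],
};

// Serialise to the header syntax: "directive src src; directive src".
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// The page carries the same policy in a <meta> tag, for hosts where the
// header cannot be set. Note: frame-ancestors is ignored in a meta tag, so
// the header is the preferred delivery.
function renderPage(cspValue) {
  return `<!doctype html>
<html><head>
<meta http-equiv="Content-Security-Policy" content="${cspValue}">
<title>CSP demo</title>
</head><body><script src="/app.js"></script></body></html>`;
}

// Node.js handler that sets the header and serves the page.
function handleRequest(req, res) {
  const csp = buildCsp(policy);
  res.writeHead(200, {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': csp,
  });
  res.end(renderPage(csp));
}

// Call startServer() to run it, e.g. startServer(3000).
function startServer(port) {
  return require('http').createServer(handleRequest).listen(port);
}
```

With this policy an inline `<script>` that ends up in the page is refused by the browser and reported in the console, which is the "detect and mitigate" part of the slide.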

CSP

Hypertext Transfer Protocol Secure (HTTPS)

HTTPS is basically the HTTP protocol with an added layer of security.

It uses SSL/TLS to secure the information sent to the server

SSL/TLS

And more...

  • Keep error messages generic
  • Remember that everything stored in the browser is insecure
  • Don't store sensitive data on the client side
  • Check the third party libraries that you use
  • Consider using textContent instead of innerHTML
  • Avoid iframes

Questions or Feedback?